7.4 Mitigate ARP Attacks
© 2016 Cisco and/or its affiliates. All rights reserved. Cisco Confidential 40
Mitigate ARP Attacks
Dynamic ARP Inspection
In a typical ARP attack, a threat actor sends unsolicited (gratuitous) ARP replies to other hosts on
the subnet that pair the threat actor's MAC address with the IP address of the default
gateway, so victims send gateway-bound traffic to the attacker. To prevent ARP spoofing and the
resulting ARP poisoning, a switch must ensure that only valid ARP Requests and Replies are relayed.
Dynamic ARP inspection (DAI) requires DHCP snooping and helps prevent ARP attacks
by:
• Not relaying invalid or gratuitous ARP Replies out to other ports in the same VLAN.
• Intercepting all ARP Requests and Replies on untrusted ports.
• Verifying each intercepted packet for a valid IP-to-MAC binding.
• Dropping and logging ARP Replies that carry an invalid IP-to-MAC binding, to prevent ARP poisoning.
• Error-disabling the interface if the configured DAI rate limit of ARP packets per second is exceeded.
Mitigate ARP Attacks
DAI Implementation Guidelines
To mitigate the chances of ARP spoofing and
ARP poisoning, follow these DAI
implementation guidelines:
• Enable DHCP snooping globally.
• Enable DHCP snooping on selected
VLANs.
• Enable DAI on selected VLANs.
• Configure trusted interfaces for DHCP
snooping and ARP inspection.
It is generally advisable to configure all access
switch ports as untrusted and to configure all
uplink ports that are connected to other
switches as trusted.
Mitigate ARP Attacks
DAI Configuration Example
In the previous topology, S1 is connecting two users on VLAN 10.
• DAI will be configured to mitigate against ARP spoofing and ARP poisoning attacks.
• DHCP snooping is enabled because DAI
requires the DHCP snooping binding
table to operate.
• Next, DHCP snooping and ARP
inspection are enabled for the PCs on
VLAN 10.
• The uplink port to the router is trusted,
and therefore, is configured as trusted for
DHCP snooping and ARP inspection.
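As an added configuration example (not taken from the original slides), the guidelines above applied to S1 in the order described: DHCP snooping globally and on VLAN 10, DAI on VLAN 10, access ports left untrusted, and the router uplink trusted for both features. The interface names (FastEthernet0/1 and 0/2 to the PCs, FastEthernet0/24 to the router) are assumptions, since the topology is not reproduced on this page.

```ios
! Assumed topology: PCs on F0/1-F0/2 in VLAN 10, router uplink on F0/24.
! Step 1 and 2: DHCP snooping globally, then on the VLAN, so the binding
! table that DAI validates against is built.
S1(config)# ip dhcp snooping
S1(config)# ip dhcp snooping vlan 10
! Step 3: DAI on the same VLAN.
S1(config)# ip arp inspection vlan 10
!
! Access ports stay untrusted (the default). The ARP rate limit is also
! 15 pps by default on untrusted ports; it is set explicitly here so the
! err-disable behaviour described above is visible in the configuration.
S1(config)# interface range FastEthernet0/1 - 2
S1(config-if-range)# switchport mode access
S1(config-if-range)# switchport access vlan 10
S1(config-if-range)# ip arp inspection limit rate 15
S1(config-if-range)# exit
!
! Step 4: the uplink to the router is trusted for both features, so DHCP
! offers from the router and the gateway's own ARP replies are not dropped
! for lacking a DHCP snooping binding.
S1(config)# interface FastEthernet0/24
S1(config-if)# ip dhcp snooping trust
S1(config-if)# ip arp inspection trust
S1(config-if)# end
!
! Verification
S1# show ip dhcp snooping
S1# show ip dhcp snooping binding
S1# show ip arp inspection vlan 10
S1# show ip arp inspection interfaces
```

Two practitioner caveats: a host with a static IP address never appears in the DHCP snooping binding table, so its ARP traffic on an untrusted port is dropped unless it is permitted through an ARP ACL (arp access-list applied with ip arp inspection filter); and once a port has been err-disabled by the rate limit it stays down until an administrator bounces it, unless errdisable recovery cause arp-inspection is configured.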
Mitigate ARP Attacks
DAI Configuration Example (Cont.)
DAI can also be configured to validate the destination MAC, source MAC, and IP
addresses carried in ARP packets:
• Destination MAC - Checks the destination MAC address in the Ethernet header
against the target MAC address in ARP body.
• Source MAC - Checks the source MAC address in the Ethernet header against the
sender MAC address in the ARP body.
• IP address - Checks the ARP body for invalid and unexpected IP addresses including
addresses 0.0.0.0, 255.255.255.255, and all IP multicast addresses.
Mitigate ARP Attacks
DAI Configuration Example (Cont.)
The ip arp inspection validate {[src-mac] [dst-mac] [ip]} global configuration command is
used to configure DAI to drop ARP packets that carry invalid IP addresses.
• It also drops ARP packets whose MAC addresses in the body of the ARP packet do not match
the addresses that are specified in the Ethernet header.
• Notice in the following example that only one validate command can be active at a time.
• Therefore, entering multiple ip arp
inspection validate commands
overwrites the previous command.
• To include more than one validation
method, enter them on the same
command line as shown in the output.
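The overwrite behaviour described above, as an added example that is not part of the original slides (switch name S1 assumed, and the do prefix used to run show commands from configuration mode):

```ios
! Entering the checks one at a time replaces the previous command,
! so only the last check (dst-mac) survives in the running configuration.
S1(config)# ip arp inspection validate src-mac
S1(config)# ip arp inspection validate dst-mac
S1(config)# do show running-config | include arp inspection validate
ip arp inspection validate dst-mac
!
! To enable all three checks, give them on a single command line.
S1(config)# ip arp inspection validate src-mac dst-mac ip
S1(config)# do show running-config | include arp inspection validate
ip arp inspection validate src-mac dst-mac ip
!
! Per-VLAN status of each validation check.
S1(config)# do show ip arp inspection vlan 10
```

The ip check drops packets whose sender or target IP address is 0.0.0.0, 255.255.255.255 or a multicast address; because some DHCP clients legitimately probe with a sender address of 0.0.0.0, the ip allow zeros option exists to permit that case while keeping the remaining IP checks active.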